Yingcheep Atchanont, the director of local rights watchdog iLaw, and Arnon Nampa, a rights lawyer and activist, have filed a lawsuit against nine government agencies for violating their rights by using “Pegasus” spyware to steal private information. The plaintiffs are seeking damages of 2,500,000 baht each.
On 20 June 2023, Yingcheep and Arnon, the alleged targets of a Pegasus spyware surveillance operation, went to the Administrative Court to file a lawsuit against the nine government agencies they believe were involved.
These include the Office of the Prime Minister, the Ministry of Digital Economy and Society, the Royal Thai Army, the Royal Thai Navy, the Royal Thai Air Force, the Department of Special Investigation, the Ministry of Finance, and the National Cyber Security Committee (NCSC).
Their complaint states that the then-military government led by Gen Prayut Cha-o-cha, obtained a license to use Pegasus spyware from the NSO Group, an Israeli cyber security technology company. The purchase was approved by Israel’s Ministry of Defence and procurement was carried out by Thai Engineering Reward, a company that imports military and security technology.
Thai authorities provided the phone numbers of those designated for surveillance to the company, which accessed the targeted phones to gather information.
Pegasus spyware monitors mobile phone operations, allowing intruders unlimited access to conversations, financial transaction data, and even stored passwords. It can also be used to remotely control mobile phone cameras, microphones, and screen capture functions.
Yingcheep and Arnon first learned of the spyware attack through a notification from Apple stating that their mobile phones had been targeted. A computer forensic investigation later revealed that their phones had been infiltrated multiple times. The aim was presumably to track their political activities, infringing on rights guaranteed by the constitution and a number of international conventions.
Yingcheep’s mobile phone was infiltrated ten times, with each instance occurring around the time of pro-democracy protests. The most recent occurred after the Constitutional Court ruled that the speech of a political activist was an attempt to overthrow the government.
Arnon’s phone was targeted five times, each also coinciding with a pro-democracy protest. The most recent occurred while he was in a prison, shortly after he posted on Facebook about prison conditions.
The plaintiffs argue that such surveillance operations violate Article 32 of the Constitution, which guarantees the right to privacy. According to the law, violations of this right and the use of personal data by legal authorities must necessarily be in the public interest.
They further argue that using Pegasus spyware to access private information also violates the Computer-related Crime Act, which prohibits unauthorised access and interception of computer data. According to Articles 18 and 19 of the act, the interception of data requires a subpoena and can only be done to gather evidence in an ongoing investigation.
In a recent interview, Yingcheep stated that he, Arnon, and six other people also filed a lawsuit against NSO Group, The civil court refused to accept the suit, however, on the grounds that eight plaintiffs could not file a joint complaint and that each must file a separate lawsuit instead.
Asked about the challenges in investigating and preventing such attacks in Thailand, Yingcheep said that local authorities have a very limited understanding of spyware technology and still lack the wherewithal to investigate how it has been used.
Theoretically, the National Cyber Security Agency could play a role in protecting the public but its primary focus is on the prevention of cyber warfare attacks from foreign countries.
Yingcheep and Arnon are not the only victims of Pegasus spyware attacks. Since 2020, at least 30 critics of the Prayut Chan-o-cha administration have had their phones penetrated. The victims include political activists, academic critics of the junta, and NGO officers.